Common Solutions Group: StoneSoup.org

Advance Program

***************************
Joint CSG/Microsoft Workshop
An In-Depth Technical Exchange on NT5 and Associated Technologies
Advance Program
***************************

Purpose:
--------
The purpose of this workshop is to bring together the core technical people
from the CSG organizations and the core technical architects
on the NT5 development team for in-depth discussion, based in large
part on a set of questions and issues identified in advance.
Because of the large commitment of intellectual resources required on
both sides, it is essential that the technical value of the program
match the technical commitment of the participants.


Details:
--------
 Date: Monday June 8 - Wednesday June 10
 Time: 9am-5:30 each day
 Where: Seattle/Redmond, WA
 Hotel: Location and Reservation Information forthcoming


Attendance:
-----------
  We've planned for up to 100 people and are organizing the program to
  provide a very high order of technical interchange.  There's room for
  up to three of your most qualified, technical folks, those who'll be
  responsible for the systems/network analysis and integration of NT5
  technologies on your campus.


Program:
--------
  The three-day workshop will be organized into four basic sections:
	(1) Monday morning: Welcome and short review of some current
	    work to date
		. MIT Project Pismere: http://web.mit.edu/pismere/
		. CMU Project Orpheus [URL on the way]
	(2) Monday afternoon - Tuesday: Broad Interest Technical Q/A
	    the technical Q/A sessions that pretty much everybody
	    wants to know about (e.g. Active Directory)
	(3) Tuesday - Wednesday morning: Particular-Interest Q/A
	    we expect to run 2-3 parallel sessions for the more
	    specialized technical topics where there is less
	    overlap among the technical experts.
	(4) Wednesday afternoon: General Q/A and Wrap-up
	    Things that came up over the previous two days but didn't
	    get covered, and what we'll take away.


Topics:
-------
  The majority of the program will be focused on technical Q/A on
  *our* most pressing issues relative to the integration of NT5 on
  our campuses.  Many of these issues will be quite specific, and
  should lead to some detailed engineering discussions.  In order
  to get the *best* list of issues and questions, we're asking that
  each CSG member institution submit their Top-10 technical issues,
  questions, and concerns relative to NT5, plus the top 3-5 results
  they'd like to take away from the workshop.  We will collate the
  items as we receive them and post them without attribution through
  the CSG web site.  If answers or responses become available from
  Microsoft before the workshop, they will also be posted there.
  
  Included below is a first draft of issues and questions compiled by
  the program committee so far.


Schedule (Red-Letter Dates):
----------------------------
5/12/98	  program announcement public
5/15/98	  21-day advance purchase deadline for airline tickets
5/20/98	  CSG Institutions submit Top-10 Questions and Top-3 Desired
	    Results to the program committee (mailto:poepping@cmu.edu)
5/22/98	  Draft 2 questions/topics available through CSG website
5/29/98	  Workshop Program finalized


Program Committee
-----------------
  Terry Gray		University of Washington
  Paul Hill		MIT
  RL "Bob" Morgan	Stanford
  Mark Poepping	Carnegie Mellon
  David Ladd		Microsoft
  Todd Needham		Microsoft



-----------------------------
Draft 1: Issues and Questions
-----------------------------

High-Level Issues/Questions:
    What we need... "Is academia different?"
   1) All of the CSG schools have privately owned machines in their
	domain in addition to machines owned by the school. The
	privately owned machines are usually not under direct control
	of the school's Information Systems or equivalent department.
   2) Most of the schools do not run a firewall that attempts to
	protect the entire school. Some of the schools have a firewall
	in some areas, often to reduce liability of the medical schools
	or university medical facilities.
   3) Most of the schools have a very diverse, heterogeneous computing
	environment. Few, if any, of the schools desire to standardize
	solely on Microsoft operating systems.  There's a difference
	between compatible, interoperable, and interchangeable; the
	last attribute is a characteristic of a truly 'open' system.
   4) Most, but not all, of the schools have an existing Kerberos
	version four infrastructure. Not all of the machines using
	Kerberos version 4 clients are under the direct control of IT
	resources.
   5) Campuses are not closed environments. Most of the schools contain
	areas where the public may gain easy access to facilities, such
	as libraries.
   6) I'd like an Internet-accessible directory service, a replicated
	directory service for basic contact info, accessible to the Internet
	via web, LDAP, ph?, separable from the authentication database
	for security and robustness reasons, supporting access controls
	by source addr and/or authenticated user.
   7) I need a campus-wide file service a la AFS.
   8) Cluster workstations (nomadic use):  we'd like any of our many
	users to be able to walk up to an NT workstation, log in via a
	central service and [quickly] get their 'home' environment served
	up to them, including applications and personal files.  On log
	out, their state should be wiped.
	  - roaming profiles and concurrent use (logged in on 2+ systems
		at once)
	  - interoperation/integration for heterogeneous OS environs?
		any plan for central, interoperable storage of:
		. bookmarks
		. private keys
		. app. config data
	  - which aspects of these strategies would be related to ADS,
		which are related to ZAW, SMS, or the logo requirements?

Technical Issues/Questions:
    1) Kerberos interoperability, architecture of the domain
	controllers, basic security differences between UNIX and NT,
	e.g. impersonation instead of process-based security, except of
	course for services or the new MSI.
	- server integration issues
	- client-side support, support in apps, in http
	- migration tools for going from UNIX KDC to NT KDC
	- any chance of NT KDC as replica of non-NT KDC?
	- v4 compatibility
	- shadow realm vs. single realm
    2) Directory services, subdomains.
	- including entry naming and how to lay out the tree
	- at the PDC there was mention of someone providing a domain
	  controller running on UNIX. Who is doing this? What flavors
	  of UNIX? When?
	- benchmarks to add a few thousand users to an NT ADS via LDAP?
	- limits on group nesting
	- issues for existing X.500 server or LDAP infrastructure
    3) DHCP Service
	- details on the default address assignment when no DHCP server
	  is detected.
	- Do they suggest a DHCP server to use if we don't use the MS
	  DHCP server?  (They tell us that we can use BIND 8.x instead
	  of their nameservers, so...)  If not, what services apart from
	  raw answering of queries should it support?  In particular,
	  what needs to be supported if we want to run a non-ms DHCP
	  server with the MS DNS servers?
    4) DNS Service
	They say we can use BIND 8.x and still accomplish things.
	However:
	- If we use bind, how do we get the data we must add to the
	  configuration files if we don't support dynamic updates? 
	  Specifically, I want to know what we need to add to the zone
	  files to support all of those funny names based on SIDs, GUIDs, etc.
	- any plans to support DNSSEC, as well as TSIG, for DNS security?
    5) IPSec
	- Which NT5 beta will support the latest IPSec RFCs? How well
	  will it interoperate with non-IPSec hosts?
    6) NT as Router/firewall
	NT servers can now be routers. How do we suppress this ability on
	our campus, including dorm machines which we don't own or control?
    7) Can you do Traffic or Service monitoring or filtering on the local
	machine?  NT-Server only?
    8) Time synchronization
	Where do they get the time?  NTP?  Something else?  How secure is
	it?  Can we replace this with NTP?
    9) Windows Terminal Server (Hydra): scaling, security, licensing,
	UNIX client availability?
   10) transaction server
   11) Web application development: if you aren't *quite* ready to
	abandon Macs and/or Unix desktops, what technology makes the most
	sense?  Java applets, native Java with push, ActiveX controls,
	DHTML, ...
   12) securing a domain controller so that it functions but offers no
	other services and minimal entry points?
   13) File and print services
	- authentication (cross platform)
	- client-server integration (cross-platform)
   14) PKI
	- AD and Kerberos
	- Integration
	- PGP support in addition to S/MIME?
   15) ZAW (Zero Admin Windows), MSI (Microsoft Installer), and SMS
	(Systems Management Server)
	- how do we deploy 100 new machines at a time with preinstalled
	  software configurations?
	- can we do multi-tiered software configuration control (site,
	  dept, group, user)?
	- installation, update, inventory, etc.
	- NT logo requirements, MSI:  our developers need to make sure
	  that they write applications that will be easy to support. ZAW,
	  MSI and the logo program claim to help. How did Microsoft reach
	  these conclusions?  Do the requirements meet our needs if we
	  are not exclusively using Microsoft networking solutions
	  (e.g. NetWare or the NT AFS client)?
   16) Can we talk about the case *against* Directory Enabled Networks?
   17) What is MS doing about QoS, e.g. tracking port-agile
	delay-sensitive apps, and what are their RSVP plans?
   18) IPv6 is going to happen because MS corporate customers want to
	run it behind their firewalls/NAT boxes.  Can you say
	"NAT doesn't like IPSec"?  Which one is going to give?
   19) Why Linux will survive NT
   20) What?  You can't do TCP wrappers on NT??
   21) SNMP - multi-agent support via AgentX?